Research at FRIENDS Lab Dongyan Xu Associate Professor Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University

Virtual Infrastructures VIOLIN virtual infrastructure Infrastructure adaptation Infrastructure snapshot Real-world deployment ( Research Overview Malware Defense Honeyfarm (Collapsar) Playground (vGround) VM introspection (OBSERV) OS info. flow (Proc. Coloring) Kernel rootkit (NICKLE) Reverse engr. (AutoFormat) Virtualization Technology (Xen, QEMU, VirtualBox, KVM, VMware)

Project 1: Process Coloring: Information Flow-based Malware Defense  Funded by IARPA through AFRL  One-sentence summary: Propagating and logging provenance information (“colors”) along OS-level information flows for malware detection and sensitive data protection  Prototype integration with Southwest Research Institute Demo CD completed today!

httpd s80httpdrcinit s45named s30sendmail s55sshd s80httpd s30sendmail s45named s55sshd /bin/sh wget Rootkit Local files netcat /etc/shadow Confidential Info /etc/shadow Confidential Info Initial coloring Coloring diffusion Syscall Log Capability 3: Color-based log partition for contamination analysis Capability 3: Color-based log partition for contamination analysis PC Usage Scenario: Server-Side Malware Defense Capability 1: PC malware alert “No shell process should have the color of Apache” Capability 1: PC malware alert “No shell process should have the color of Apache” Capability 2: Color-based identification of malware break-in point Capability 2: Color-based identification of malware break-in point Demo at:

firefox notepad turbotax warcraft Web Browser Tax Editor Games Agobot Tax files PC Usage Scenario: Client-Side Malware Defense Agobot PC malware alert “Web browser and tax colors should never mix” PC malware alert “Web browser and tax colors should never mix” Demo at:

Project 2: Strategic Defense against Kernel Rootkit Attacks  Kernel rootkits: stealthy and foundational threat to cyberspace  Current defense:  Symptom-based detection  Disruption to production system  Manual forensics  Strategic defense:  Proactive indication before attack  Automatic avoidance by “steering away” production system (non-stop operation)  Live forensics for future protection

Integrated Defense Scenario Guest OS VMM Right before attack After threat indication Production VM Fork Avoidance Indication Guest OS VMM Forensics VM Guest OS VMM Production VM Rootkit Profile Kernel Guarding Code Clean-up Forensics

Results with Real-World Kernel Rootkits  Indicating and preventing kernel rootkit attacks at VMM level [RAID08 Best Paper Award]

Thank you! For more information: URL: (on a VM) Google: “Purdue virtualization friends”

NICKLE: Kernel Rootkit Indicator “ No Instruction Creeping into Kernel Level Executed” NICKLE Standard memory Kernel Code Shadow memory VMM Guest OS  Step 1: Create two memory spaces  Standard memory  Shadow memory  Step 2: Authenticate and copy kernel code to shadow memory  Step 3: Memory access dispatch  Kernel code fetch -> shadow memory  All other accesses -> standard memory Kernel Code

Collapsar Honeyfarm Domain B Domain A Domain C Front-End VM-based Honeypots Management Station Collapsar Center Correlation Engine Redirector Collapsar Honeyfarm Redirector Benefit 1: Centralized management of honeypots w/ distributed presence Benefit 2: Off-site attack occurrence Benefit 3: Convenience for real-time attack correlation and log mining [USENIX Security’04]

Malicious Web Server VM-based Honeypots Domain B Domain A Domain C Front-End Collapsar Center Redirector Collapsar as a Client-side Honeyfarm  Active Honeypots w/ Vulnerable Client-side Software  Web Browsers (e.g., IE, Firefox, …)  Clients (e.g., Outlook, …) [ HoneyMonkey, NDSS’06] PlanetLab (310 sites) 288 malicious sites / 2 zero-day exploits

 Upon Clicking a malicious URL  22 unwanted programs installed without user’s consent! MS MS MS * {CURSOR: url(" try{ document.write('<object data=`&#109&#115&#45&#105&#116&#115&#58 &#109&#104&#116&#109&#108&#58&#102&#105&#108&#101: //C:\fo'+'o.mht!'+' 'm::/targ'+'et.htm` type=`text/x-scriptlet`> '); }catch(e){} A Real Incident [JPDC’06]

vGround: A Virtual Worm Playground (demo) dallas.cs.purdue.edu  High fidelity  VM: full-system virtualization  Strict confinement  VN: link-layer network virtualization  Easy deployment  Locally deployable  Efficient experiments  Images generation time: 60 seconds  Boot-strap time: 90 seconds  Tear-down time: 10 seconds A Worm Playground In “Fighting Computer Virus Attacks”, Peter Szor, USENIX Security Symp., 2004 [RAID’05]

 State-of-the-art malware defense  Running anti-malware software inside the monitored system  Advantage: They can see everything (e.g., files, processes…)  Disadvantage: They may not see anything! VirusScanFirefox IE OS Kernel … OBSERV: “Out-of-the-Box” Malware Detection

Why “Out-of-the-Box”?  Current approach fundamentally flawed  Anti-malware software and protected software running at the same privilege level  Lack of root-of-trust  Solution: Going “out-of-the-box” Firefox IE OS Kernel … VirusScan Virtual Machine Monitor (VMM)

The “Semantic-Gap” Challenge  What we can observe:  Low-level states  Memory pages, disk blocks…  Low-level events  Privileged instructions,  Interrupts, I/O…  What we want to observe:  High-level semantic states  Files, processes…  high-level semantic events  System calls, context switches… Virtual Machine Monitor (e.g., VMware, Xen) Guest OS Semantic Gap VirusScan

Our Solution: OBSERV  OBSERV: “Out-of-the-Box” with SEmantically Reconstructed View  A new mechanism missing in existing VMMs Firefox IE OS Kernel … Virtual Machine Monitor (VMM) OBSERV [ACM CCS’07]

New Capabilities Enabled by OBSERV Capability II: Malware detection by view comparison Capability II: Malware detection by view comparison Capability I: Invisible system logging Capability I: Invisible system logging Firefox IE OS Kernel … Virtual Machine Monitor (VMM) OBSERV Capability III: External run of COTS anti-malware software Capability III: External run of COTS anti-malware software OBSERV View Inside-the-box View Diff

AutoFormat: Malware Protocol Reverse Engineering  Given malware binary, infer malware protocol format [NDSS’08]

Inferring Slapper Worm (Botnet) Protocol Nested data structure declaration Compiler inserted gap

VIOLIN: Portable, Adaptive Virtual Environments  Adaptive Virtual Environments on a shared hosting infrastructure Internet DB [TR’03, IEEE Computer’05]

Adaptation Architecture and Sample Scenario (Demo) VIOLIN Switch Monitoring Daemon VIOLIN Switch Monitoring Daemon VIOLIN Switch Monitoring Daemon Adaptation Manager VMs Physical Network Scale Up CPU Update Migrate VMM VIOLIN Switch [IEEE ICAC’06]

Live VIOLIN Snapshot (Demo)  Useful for application and OS transparent recovery from  Crashes, failures, and disasters  Unexpected power/network outage  And for VIOLIN replay Hosting center SnapshotResume [ACM/IEEE VTDC’07]